Security Java Programming IT

Cross-Platform Java Sandbox Exploit 382

DrWho520 points out this report at silicon.com which begins "A flaw in Sun's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs. The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday." The hole affects Linux and Windows.

  • by I confirm I'm not a ( 720413 ) on Wednesday November 24, 2004 @09:31AM (#10908304) Journal

    ...Or better, since Java runs in a (relatively) secure sandbox. It's worth noting, from the article [silicon.com], that there hasn't to date been a single Java virus. This is bad, but it has to get a lot worse before comparison with ActiveX is warranted.

  • Re:At least... (Score:1, Informative)

    by Anonymous Coward on Wednesday November 24, 2004 @09:39AM (#10908346)
    That's the way Microsoft typically tried to do it before everyone started bitching about them doing it that way. Of course Sun does it that way and they're the darling hero. Slashdot is Fox News for people who should know better.
  • Re:At least... (Score:1, Informative)

    by Anonymous Coward on Wednesday November 24, 2004 @09:40AM (#10908351)
    It happens all the time with Windows. The difference is that when the /. crowd finds out that Microsoft knew about an exploit a month before they release the patch it turns into another bashing session.
  • Opera not affected (Score:3, Informative)

    by TheJavaGuy ( 725547 ) on Wednesday November 24, 2004 @09:40AM (#10908353) Homepage
    This bug affected IE and Firefox, but not the Opera Browser [opera.com].
  • by DaEMoN128 ( 694605 ) on Wednesday November 24, 2004 @09:43AM (#10908366)
    There are already proof-of-concept viruses that work on both Linux and Windows.
    http://antivirus.about.com/library/weekly/aa032801a.htm/ [about.com]
    http://www.itworld.com/AppDev/1312/IWD010328hnvirlin// [itworld.com]
    Looks like this has been happening since 2001 according to the itworld article (look at the date in the upper left hand corner).
    The only thing that has changed is the vector of infection. There was also a /. article if I remember right, but I can't seem to get the right search terms to find it.
  • WARNING! (Score:1, Informative)

    by prandal ( 87280 ) on Wednesday November 24, 2004 @09:48AM (#10908393)
    java.sun.com is STILL dishing out J2re-1.4.2_05.

    Be sure to get the right one from java.sun.com/j2se
  • by Anonymous Coward on Wednesday November 24, 2004 @09:55AM (#10908435)
    Actually the Java in Opera is even worse: http://archives.neohapsis.com/archives/bugtraq/2004-11/0250.html [neohapsis.com]
  • by Anonymous Coward on Wednesday November 24, 2004 @09:56AM (#10908443)
    From the horse's mouth right here [jouko.iki.fi]. The issue is actually with the plug-in, not Java itself. In brief, you can load a Java class in an applet via JavaScript using getClass().forName() and use that reference to make calls outside the confines of the sandbox.
  • by prandal ( 87280 ) on Wednesday November 24, 2004 @09:56AM (#10908447)
    www.java.com is only offering j2re-1.4.2_05, a vulnerable version.

    Version 1.5.0 is available from java.sun.com [sun.com].

    WAKE UP SUN!
  • by Cyphus ( 818873 ) on Wednesday November 24, 2004 @10:07AM (#10908506)
    I agree with you, browsers aren't responsible for the sandboxing, and it is Sun's fault for having a buggy plugin. But sandboxing is not a function of the language - it is solely a function of the runtime. I could use a different runtime with the same compiled Java code and not have the problem. Therefore it's not a problem with the language.
  • by hackstraw ( 262471 ) * on Wednesday November 24, 2004 @10:22AM (#10908652)
    A unix-like OS like Linux is somewhat safer than Windows, as one user account compromised doesn't trash the stuff that user doesn't have read/write permissions on (such as root or other users). So it's possible to contain on Linux, but on Windows... people usually run as Administrator.

    BFD. Most machines that are used for surfing the web are single-user machines, and having that user's stuff trashed is the same as trashing the whole machine.
  • by lokedhs ( 672255 ) on Wednesday November 24, 2004 @10:24AM (#10908664)
    That's why you should go to java.sun.com [sun.com], not www.java.com [java.com]
  • by crazyphilman ( 609923 ) on Wednesday November 24, 2004 @10:35AM (#10908751) Journal
    I just downloaded 1.4.2_06 from Sun's website. Go to java.sun.com and look for J2SE. You can get both 1.4.2_06 and 1.5 there, on the page. I didn't use the automagic update, myself, so I don't know what's going on there.
  • Sadly, the "Update Now" button in my J2SE 1.4.2_05 RE Plug-in Control Panel still informs me that I already have the latest version installed. You'll probably have to update manually, for now.

    Another thing: the auto-update timer in that same Control Panel is set to go off once a month by default. You might want to turn that up a notch for fixes like these.

  • Re:Java == Platform (Score:3, Informative)

    by tolan-b ( 230077 ) on Wednesday November 24, 2004 @10:41AM (#10908800)
    Yes, it's a vulnerability in the Sun implementation of the Java platform, but not Java the language or the Java platform generally.

    There are other Java runtimes, which are allowed to use the name Java because they pass the conformance tests (such as IBM's Java runtime), they would not be vulnerable to this exploit.
  • by DeadMeat (TM) ( 233768 ) on Wednesday November 24, 2004 @10:52AM (#10908885) Homepage
    Why doesn't the JRE have an auto-update feature enabled by default on install, easily disabled from the control panel for those who are savvy (and stays disabled, unlike Acrobat Reader)?
    As of one of the 1.4.2_0x releases, it does.
  • by jvervloet ( 532924 ) on Wednesday November 24, 2004 @10:56AM (#10908915) Homepage Journal
    There was also a /. article if I remember right, but I can't seem to get the right search terms to find it.

    I found this one [slashdot.org] using "cross-platform virus site:slashdot.org [google.be]".

  • by Zoolander ( 590897 ) on Wednesday November 24, 2004 @12:14PM (#10909550)
    Actually, now you can download the source to Java 6 and soon you will be able to submit patches. It's opening up bit by bit:
    Patches [java.net]
  • by radtea ( 464814 ) on Wednesday November 24, 2004 @12:15PM (#10909559)

    The difference is that running as a non-admin on Windows is a huge pain, as many programs don't play nicely with non-admin accounts. Windows has a huge legacy of "one user per machine" thinking in its applications development history.

    That means that many apps will not run well under non-admin accounts on Windows. Try it sometime and see. Talk to any tech-support person and ask what fraction of calls they get due to people trying to run under non-admin accounts (there's been a spate of this lately as folks upgrade to SP 2 and decide to get a bit more serious about security.)

    In comparison, I've run Unix of one kind or another since the 80's and have never had to be root to do anything other than install software or do configuration stuff.

    --Tom
  • Mac (Score:4, Informative)

    by JavaLord ( 680960 ) on Wednesday November 24, 2004 @12:44PM (#10909785) Journal
    I tested my PC, which the sample code worked on, but it didn't seem to work on my Mac, which runs OSX 10.3.6, in Safari or Firefox. Safari comes back with a "Class undefined" and Firefox just seems to ignore the JavaScript alert at the end.

    Anyone else try this on the Mac and have similar results?
  • by syates21 ( 78378 ) on Wednesday November 24, 2004 @12:50PM (#10909818)
    Time to re-calibrate the dial on ye olde time machine dude.

    For at least a decade there have been "Windows-based systems" with file system access control much more sophisticated than anything offered by Linux (at least in typical configurations using rwxrwxrwx style permissions) even today.

    Not to say the hard shell on most Windows systems doesn't more closely resemble swiss cheese, but you don't need to resort to inaccurate statements to make that case.
  • by Anonymous Coward on Wednesday November 24, 2004 @01:55PM (#10910530)
    So, people stopped finding flaws in Java's sandbox because they stopped looking--it just doesn't matter to anyone anymore.
    Not on desktop perhaps, but how about cellphones? A lot of the phones on the market have support for user-installable Java apps and many of these phones don't support native apps at all because of security problems.
  • by BovineOne ( 119507 ) on Wednesday November 24, 2004 @02:00PM (#10910585) Homepage Journal
    "found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday."

    But according to the Bugtraq posting [neohapsis.com] Sun Microsystems was informed on April 29, 2004.
  • by yoDon ( 123073 ) on Wednesday November 24, 2004 @02:04PM (#10910625)
    Only on slashdot would a comment that this exploit is "Not that critical" receive a "Score:4, Insightful" rating.

    Last night, while sitting at my machine, I noticed a Java icon appear in my taskbar. "That's weird," I thought, "I'm not doing anything or hitting any pages that should need the JRE." Since I don't use the JRE much anymore (I installed it while testing a java-based web server) I went to "Add/Remove Programs" and uninstalled j2re-1.4.2_05.

    Too late. This morning I browsed to Slashdot and saw the parent article telling me why the Java icon had popped up.

    Whatever payload the thing delivered appears to have punched a hole in Norton AntiVirus (the Norton Firewall console is reporting that Norton AntiVirus requires "Urgent Attention" but the annunciator on the AntiVirus tab appears to have been disabled in an effort to hide whatever was done to the AntiVirus). It may also have installed the bat/mumu-a worm (one spyware scanner is reporting an infection by the worm, but Symantec's bat/mumu-a removal tool reports the machine is clean).

    Once a drive has been compromised by something more complicated than a simple virus, there's no way you can ever trust the machine again because there is no way to know what sort of rootkit the exploit delivered.

    I've already disconnected the machine from my network and picked up a new hard drive. The old hard drives will go into an external drive housing that I'll only connect to the machine (a) after I have antivirus software reinstalled and (b) only if I absolutely have to pull data from the drive.

    "Not that critical" hah! This is by far the most serious attack I've ever been hit with, and I downloaded j2re-1.4.2_05 at most two months ago (elsewhere in the comments someone is reporting that j2re-1.4.2_05 is still available for download from sun.com, I can't confirm that but this is hardly an antiquated version).

    There goes my day...

    -Don
  • Incorrect (Score:1, Informative)

    by Anonymous Coward on Wednesday November 24, 2004 @04:18PM (#10912020)
    Sandboxing is exclusively a function of the language and its runtime, in this case Java.

    No. That's incorrect. It's neither a function of the browser (by definition, a plug-in is an extension that's not part of the browser core), nor a function of the language or its runtime. It's because of Sun's Java plug-in. So don't go thrashing the language or VM, even if they come from the same company as the plug-in in question.

    There's nothing wrong with Java the language or its runtime that fundamentally causes problems like this.
